">
EIP

The Exploit Intelligence
Platform

Aggregating, correlating, and enriching vulnerability and exploit data from 14+ sources into a unified intelligence layer for security professionals and AI agents.

exploit-intel.com 339K+ CVEs 77K+ Exploits 17 MCP Tools
A project by The Exploit Intelligence Platform
The Basics

What is EIP?

Software has bugs. Some bugs are security vulnerabilities. Some vulnerabilities have public exploit code. EIP tracks all of it - every known vulnerability, every public exploit, every signal that tells you what matters.

Vulnerabilities

CVEs - unique identifiers for security flaws in software. EIP ingests them from NVD, CVE.org, and 12 other sources to build the most complete picture available.

Exploits

Proof-of-concept code that demonstrates how to trigger a vulnerability. EIP collects exploits from Metasploit, ExploitDB, GitHub, and more - then ranks them by reliability.

Intelligence

Raw data is not enough. EIP correlates exploits to CVEs, flags active exploitation, scores risk with EPSS, and uses AI to classify every exploit for attack type and reliability.

Overview

How It Works

A continuous data pipeline ingests from 14 sources, normalizes everything into PostgreSQL, enriches with AI analysis, and serves it through a web UI, REST API, and MCP server for AI assistants.

Ingest

14 data sources crawled 4x daily via 22-step pipeline

Normalize

Match exploits to CVEs, deduplicate, rank by quality

Enrich

AI title generation, exploit analysis, trojan detection

Store

PostgreSQL 16 with materialized views and full-text search

Serve

Web UI, REST API, MCP server, CLI tool, RSS feeds

14 sources - 22 pipeline steps - 4x daily - fully automated
From raw CVE data to actionable intelligence, no human intervention.
Scale

The Numbers

A real-time snapshot of everything the platform tracks - updated four times daily via a 22-step automated pipeline.

339K
CVEs Tracked
77K
Total Exploits
53K
CVEs with Exploits
1,551
CISA KEV
3,948
Nuclei Templates
49K
Vendors
42K
Researchers
14
Data Sources
The Challenge

Too Many CVEs, Too Little Context

Security teams are drowning in vulnerability data. The real skill is knowing which vulnerabilities actually matter - and that requires correlating data from dozens of fragmented sources.

The Problem

  • 40,000+ new CVEs published per year
  • NVD alone gives you severity - not exploitability
  • Exploit code is scattered across GitHub, ExploitDB, Metasploit, and research blogs
  • No single source tells you if a CVE is being exploited in the wild
  • Triaging manually takes expert-level skill and hours of research per CVE

The EIP Solution

  • Aggregate 14+ sources into one normalized database
  • Automatically match exploits to their CVEs
  • Flag active exploitation from CISA KEV, VulnCheck, InTheWild, and EUVD
  • Score every CVE with EPSS exploitation probability
  • AI-classify every exploit for attack type, complexity, and reliability
Architecture

The Ingestion Pipeline

A 22-step orchestration script runs 4x daily via systemd. It pulls from 7 git repos, 8 APIs, generates AI titles, analyzes exploits, discovers Docker labs, and syncs everything to production.

Phase 0
Git pull 7 data repos (NVD, ExploitDB, Metasploit, GHSA, Nuclei, NomiSec, CVEList) with change tracking via diff manifests
Phase 1
File-based ingest - parse local repos into PostgreSQL. NomiSec, ExploitDB, GHSA, Nuclei, Metasploit, CVEList, CWE catalog
Phase 2
NVD enrichment + AI title generation via rule engine and Ollama LLM (devstral-2) for CVEs the rules cannot handle
Phase 3
API-based enrichment - CISA KEV, EPSS, VulnCheck, InTheWild, EUVD, OSV, PatchaPalooza, GitHub search, GitLab search
Phase 4
Post-processing - fetch PoC source code, harvest GitHub refs, Docker lab discovery, LLM exploit analysis with 5 workers
Phase 5-8
Pre-CVE matching, orphan cleanup, consistency checks, dashboard refresh, SQLite export, archive sync, email report
22 Steps 4x Daily flock Locking Email Reports
Source 01

National Vulnerability Database

The foundational dataset - NIST's comprehensive catalog of every CVE with severity scores, affected products, and references. EIP parses the NVD API 2.0 JSON format from a local git clone.

What it provides
CVE ID, description, CVSS v3.1/v3.0 scores, CWE classification, publication status, affected products (vendor, product, CPE, version ranges), and reference URLs with type tags
How it works
Parses JSON files from a local NVD git clone. Cross-references CVE.org cvelistV5 metadata for authoritative publication state. Incremental via git-diff manifests - only processes changed files.
Smart features
URL sanitization for common NVD typos. Reference type inference from 60+ domain heuristics (GitHub = patch, ExploitDB = exploit, etc). Guards against data corruption - never demotes published CVEs or regresses non-null fields to null.
Scale
339,495 vulnerabilities processed. Periodic flush every 1,000 records. Cross-references CNA titles from CVE.org for CVEs NVD has not yet enriched.
Git Clone Incremental CVSS v3.1
Source 02

CISA Known Exploited Vulnerabilities

The US government's authoritative list of CVEs confirmed to be actively exploited in the wild. If it is on the KEV list, someone is using it to break into real systems right now.

What it provides
Binary exploitation signal - marks CVEs with is_kev=True and records the date CISA added it. Federal agencies are required to patch KEV entries within deadlines.
How it works
Downloads the CISA KEV JSON catalog via HTTP on every pipeline run. Matches against existing CVEs in the database. Simple and reliable - the catalog is small (~1,551 entries) but extremely high-signal.
Why it matters
KEV is the gold standard for "this vulnerability is being exploited." It cuts through the noise of 339K CVEs and tells you exactly which ones attackers are actively targeting.
Coverage
1,551 CVEs confirmed exploited. Updated daily by CISA. EIP tracks the kev_added_at timestamp to measure how quickly exploitation was recognized.
Active Exploitation HTTP API Daily Updates
Source 03

EPSS - Exploit Prediction Scoring

A machine learning model from FIRST.org that predicts the probability of a CVE being exploited in the next 30 days. Unlike CVSS (severity), EPSS measures actual exploitability.

What it provides
Two scores per CVE: epss_score (probability 0-100% of exploitation in 30 days) and epss_percentile (relative ranking among all CVEs). Scores above 90% are extremely high risk.
How it works
Downloads the daily EPSS gzip-compressed CSV from FIRST.org. Uses diff-based incremental processing - caches the previous CSV and only updates changed scores. Batch updates in chunks of 500.
Why it matters
CVSS tells you how bad a vulnerability could be. EPSS tells you how likely it is to actually be exploited. A CVSS 10.0 with EPSS 0.1% is less urgent than a CVSS 7.0 with EPSS 95%.
Coverage
321,850 CVEs scored. Updated daily. EIP uses EPSS for prioritized sorting and risk assessment in the audit_stack MCP tool.
ML-Powered Diff-Based Daily Refresh
Source 04

ExploitDB

The oldest and most curated public exploit archive. Run by OffSec, every entry is reviewed before publication. EIP parses the full CSV catalog and source code from a local git clone.

What it provides
Curated exploit code with CVE mappings, author attribution, platform/type classification, and verification status. Entries include EDB IDs, OSVDB cross-references, and the actual exploit source files.
How it works
Parses files_exploits.csv from a local git clone. Maps exploits to CVEs via the codes field. For entries without a CVE match, creates vulnerability stubs with status='pre_cve' and sequence-based EIP IDs.
Smart features
Detects programming language from 13 file extensions. Parses author strings and links to the normalized authors table. Records alternate identifiers (EDB, OSVDB). Incremental via git-diff manifests.
Coverage
~46,000 exploits cataloged. OffSec-curated quality. EIP also fetches the actual source code files and serves them through the code viewer.
Curated Git Clone Source Code
Source 05

GitHub PoC Search

Two crawlers search GitHub for proof-of-concept exploit repositories - the Search API for individual repos and a monorepo scanner that discovers multi-CVE collections via the Git Tree API.

GitHub Search Crawler
Searches GitHub API for PoC repos by CVE year and language across 11 search templates. Token rotation for rate limit management. 50MB size cap, blocked name patterns to filter out kernel forks, AOSP repos, and generic collection repos.
Monorepo Scanner
Discovers multi-CVE collection repos via search, then scans Git Tree API for CVE-named directories. Filters repos with 2-200 CVEs. Blocked list excludes known aggregators (trickest, nomi-sec, nuclei-templates).
Quality signals
Extracts stars, forks, language, fork status per repo. Hard filters reject repos over 50MB and name patterns matching kernel forks, Android framework, or generic names. Deduplicates against NomiSec repos.
Incremental
Cursor-based pagination saves progress between runs. Token rotation across multiple GitHub PATs to maximize API throughput. Dry-run mode available for testing.
Token Rotation Junk Filtering Cursor-Based
Source 06

NomiSec PoC Index

The nomi-sec/PoC-in-GitHub project maintains a curated, continuously-updated JSON index of GitHub repositories containing CVE proof-of-concept exploits - one of EIP's largest exploit sources.

What it provides
Structured JSON catalog of GitHub PoC repositories organized by CVE ID. Each entry includes repo URL, owner, description, stars, forks, primary language, creation and update dates.
How it works
Parses JSON files from a local git clone of the nomi-sec/PoC-in-GitHub repository. Links authors via the repo owner handle. Incremental processing via EIP_CHANGED_NOMISEC git-diff manifest.
Why it matters
NomiSec serves as the baseline PoC index. The GitHub Search crawler deduplicates against NomiSec to avoid double-counting repos. Combined, they give EIP near-complete coverage of GitHub-hosted exploits.
Scale
Tracks PoC repos across 53,000+ CVEs. Updated with each pipeline run via git pull. The curated nature means higher signal-to-noise than raw GitHub search.
Git Clone Incremental Curated Index
Source 06

Metasploit Framework

The world's most widely used penetration testing framework. Metasploit modules represent the highest quality exploit code - peer-reviewed, reliability-ranked, and weaponized for real engagements.

What it provides
Exploit and auxiliary modules with CVE references, module name, description, authors, reliability rank, and platform targets. Multi-CVE modules create one exploit entry per matched CVE.
How it works
Parses Ruby .rb module files from a local metasploit-framework clone. Scans modules/exploits/ and modules/auxiliary/. Extracts CVE refs via regex from both literal patterns and MSF reference format.
Quality ranking
Maps Metasploit ranks to quality tiers: ExcellentRanking and GreatRanking become "weaponized" - everything else becomes "functional." This ranking drives EIP's exploit prioritization.
Why it matters
A Metasploit module means the exploit has been tested, packaged, and can be deployed with a single command. EIP always ranks Metasploit modules at the top of exploit results.
Weaponized Git Clone Ruby Parsing
Source 07

Nuclei Templates

ProjectDiscovery's community-driven vulnerability scanner templates. Each template is a YAML-based detection signature that can verify if a target is vulnerable - without exploitation.

What it provides
Template ID, author, severity, tags, CVSS score/vector, CWE, vendor/product metadata, description, impact, remediation guidance, and recon dork queries for Shodan, FOFA, and Google.
How it works
Parses CVE-*.yaml files from a local nuclei-templates clone. Upserts into the nuclei_templates table using PostgreSQL's ON CONFLICT DO UPDATE. Sets has_nuclei_template=True on matching CVEs.
Recon dorks
Each template can include Shodan queries, FOFA queries, and Google dorks for finding vulnerable targets. EIP extracts and serves these through the get_nuclei_templates MCP tool.
Coverage
3,948 CVEs have Nuclei detection templates. Templates are community-contributed and verified. EIP handles list values by joining with || delimiters.
Detection YAML Parsing Recon Dorks
Source 09

InTheWild

Two complementary feeds from InTheWild.io - an exploitation signal API that confirms which CVEs are being exploited in the wild, and a repo tracker that discovers GitHub PoC repositories from a community-maintained SQLite database.

Exploitation Signal API
Fetches from inthewild.io/api/exploited (no auth required). Sets is_exploited_wild=True and wild_reported_at on matching CVEs. Retry logic with 3 attempts for read timeouts. ~1,927 CVEs confirmed exploited.
Exploit Repo Tracker
Downloads SQLite DB from R2 CDN with conditional GET (If-Modified-Since). Extracts GitHub repo URLs containing CVE IDs. Verifies repos still exist via GitHub API with token rotation. Marks dead repos as GONE for future dedup.
Smart filtering
Skips CVEs that already have 6+ exploits in the database to avoid diminishing returns. Only adds repos not already tracked from other sources (NomiSec, GitHub Search).
Why it matters
InTheWild provides an independent exploitation signal outside of CISA KEV and VulnCheck. Multiple corroborating signals increase confidence that a CVE is genuinely being targeted.
Wild Exploits Conditional GET Repo Verification
Source 10

VulnCheck KEV

A commercial-grade exploitation catalog that goes beyond CISA KEV with ransomware campaign attribution, earliest exploitation dates, and cross-database exploit repository tracking.

What it provides
Exploitation confirmation with ransomware campaign attribution (ransomware_use), earliest reported exploitation dates, and VulnCheck XDB exploit repository links with attack type classification.
How it works
Downloads a bulk ZIP via pre-signed S3 URL from the VulnCheck v3 backup API (requires API key). Extracts JSON and marks matching CVEs. Second phase processes vulncheck_xdb exploit repos.
Attack type upgrades
Upgrades generic "poc" exploit labels to specific attack types using an XDB type map: remote, local, infoleak, client-side, remote-auth, and DoS. Filters repos to GitHub and GitLab only (Gitee excluded).
Ransomware tracking
Parses vulncheck_reported_exploitation reports for earliest exploitation dates, filtering out epoch-zero junk entries. Links CVEs to named ransomware campaigns.
Ransomware Bulk ZIP Attack Types
Source 11

GitHub Security Advisories

GitHub's advisory database provides package-level vulnerability data across 8 software ecosystems. EIP uses it to enrich CVEs with the specific library versions affected - critical for developers triaging supply chain risk.

What it provides
GHSA alternate identifiers for CVEs and package-level affected product data with ecosystem classification, vulnerable version ranges, and patched version information.
How it works
Parses advisory JSON from a local clone of the advisory-database repo. Creates GHSA alt_identifiers and enriches affected_products with ecosystem data. Incremental via EIP_CHANGED_GHSA manifest.
8 Ecosystems
npm, pip (PyPI), maven, go, crates.io, nuget, packagist, rubygems - covering the vast majority of open-source package managers where supply chain vulnerabilities are found.
Why it matters
NVD tracks CVEs at the product level. GHSA adds package-level granularity - you can search EIP by ecosystem (e.g., "show me all npm vulnerabilities with exploits") for targeted supply chain audits.
Git Clone 8 Ecosystems Supply Chain
Source 12

OSV - Open Source Vulnerabilities

Google's OSV database provides structured vulnerability data for open-source ecosystems. EIP currently ingests the Linux ecosystem for kernel vulnerability tracking with precise version range data.

What it provides
OSV-format vulnerability records with CVE aliases, affected version ranges, and ecosystem-specific identifiers. Each entry maps to one or more CVEs in the EIP database.
How it works
Downloads bulk ZIP from osv-vulnerabilities.storage.googleapis.com (currently Linux ecosystem). Parses OSV JSON, maps to CVEs via aliases, adds OSV IDs as alternate identifiers.
Linux kernel focus
Enriches affected products with kernel version data - exact commit ranges and version boundaries. This precision is essential for kernel security teams who need to know exactly which versions are vulnerable.
Alt ID resolution
OSV IDs serve as alternate identifiers, enabling lookups via the lookup_alt_id MCP tool. Users can search by OSV ID and get back the full CVE intelligence brief.
Bulk ZIP Linux Kernel Google OSV
Source 13

CVEList - CVE.org CNA Records

CVE.org publishes CVE records from CNAs (CVE Numbering Authorities) before NVD processes them. EIP ingests these early records to get vulnerability data hours or days ahead of NVD enrichment.

What it provides
CVE JSON 5.x records from CNA submissions. Includes title, description, CWE classification, published date, affected products, and references - often before NVD has processed the CVE.
How it works
Parses JSON from a local clone of the cvelistV5 repository. Creates new vulnerability rows or enriches existing ones. Extracts affected products and references with normalization helpers. Incremental via EIP_CHANGED_CVELISTV5 manifest.
Pre-NVD advantage
NVD can take days to enrich new CVEs. CVEList data fills this gap - EIP users see new vulnerabilities as soon as the CNA publishes them, not when NVD gets around to scoring them.
IndexNow
Triggers IndexNow URL submission for newly published CVEs, ensuring search engines index new vulnerability pages within hours of publication.
Pre-NVD IndexNow Git Clone
Source 14

CWE Catalog - MITRE

MITRE's Common Weakness Enumeration taxonomy classifies vulnerability types - buffer overflows, SQL injection, XSS, and hundreds more. EIP uses CWE data for categorization, title generation, and the CWE browser.

What it provides
CWE entries with name, description, parent relationships, and likelihood of exploit. These classify every CVE by vulnerability type - critical for understanding what kind of flaw a CVE represents.
How it works
Downloads cwec_latest.xml.zip from MITRE. Parses XML with defusedxml (hardened against XXE attacks). Upserts into the cwe_catalog table. Preserves manually-set short_label values.
Title generation
CWE labels are a key input to the rule-based title engine. A CVE affecting "Apache HTTP Server" with CWE-79 automatically gets a title mentioning "Cross-Site Scripting" without needing an LLM.
CWE browser
Powers the /cwe section of exploit-intel.com. Users can browse the top 200 CWEs by vulnerability count and drill into each to see affected CVEs.
XML Parse XXE-Safe Taxonomy
Sources 15-17

EUVD, PatchaPalooza, and GitLab

Three additional sources round out EIP's coverage - the EU's vulnerability database for European exploitation signals, PatchaPalooza's curated PoC index, and GitLab search for non-GitHub exploit repos.

EUVD

Paginates ENISA's EU Vulnerability Database search API for exploited entries. Maps EUVD IDs to CVEs via aliases. Sets is_euvd_exploited flag. 6-second delay between pages for rate compliance.

EU Signal

PatchaPalooza

Fetches curated PoC repos from patchapalooza.com/api/exploits. Converts SSH clone URLs to HTTPS for GitHub, Gitee, and GitLab. Cross-source deduplication prevents repo double-counting.

Curated

GitLab Search

Searches GitLab's API for PoC repositories, extending coverage beyond GitHub. Uses the same quality filtering and CVE matching pipeline. Requires GITLAB_TOKEN.

Beyond GitHub
17 crawlers - 77,762 exploits - 339,495 CVEs
Every public exploit, every known vulnerability, one platform.
Core Logic

The Correlation Engine

Raw data from 14 sources is meaningless without correlation. EIP matches every exploit to its CVE, ranks them by quality, and builds a unified intelligence picture for each vulnerability.

Exploit Matching

  • CVE references extracted from exploit metadata, code comments, and file names
  • Multi-CVE modules (Metasploit) create separate entries per CVE
  • Pre-CVE stubs created for exploits without CVE matches (EIP-ID sequence)
  • Cross-source deduplication prevents the same repo appearing from NomiSec, GitHub Search, and InTheWild

Exploit Ranking

  • Tier 1: Metasploit modules (weaponized, peer-reviewed)
  • Tier 2: Verified ExploitDB entries (curated by OffSec)
  • Tier 3: GitHub PoCs ranked by stars, forks, and language
  • Flagged: Trojans and backdoored exploits pushed to bottom with warnings
4
Exploitation signals (KEV, VulnCheck, InTheWild, EUVD)
8
Exploit sources correlated per CVE
61K+
Exploits AI-analyzed for type and reliability
AI Layer

AI Title Generation

339,493 of 339,495 CVEs have AI-generated titles - 99.99% coverage. A rule engine handles the common cases, and Ollama LLM handles the rest. Basis hashing detects when upstream data changes and titles need regeneration.

Rule engine (first pass)
Generates "Product Version - VulnType" titles using affected_products + CWE labels. 21 regex patterns covering RCE, SQLi, XSS, buffer overflow, privilege escalation, SSRF, prototype pollution, and more. Cleans vendor/product names, preserves acronyms (IBM, HP, SAP).
LLM fallback (second pass)
For CVEs with no product or CWE, calls Ollama devstral-2:123b-cloud with structured prompts. Multi-endpoint failover reads from .ollama_endpoints.txt. Supports basic auth.
Validation
Titles must be 8-120 chars, mention the anchor product/vendor, contain no placeholders ("Unknown"), and not be truncated ("..."). Bad candidates with slashes, "npm " prefixes, or repeated tokens are rejected.
Basis hashing
SHA-256 hash of all title-relevant inputs (status, description, vendor, product, version, CWE label). When upstream data changes, the hash changes, triggering title regeneration. Soft-title replacement only upgrades generic patterns.
devstral-2 99.99% Coverage SHA-256 Hashing
AI Layer

LLM Exploit Analysis

Every exploit gets analyzed by devstral-2 with 5 parallel workers. The AI classifies attack type, complexity, reliability, maps MITRE ATT&CK techniques, and detects trojans with deception indicators and IOCs.

Classification

working_poc, trojan, suspicious, scanner, stub, or writeup - determines what the code actually does

Attack Type

RCE, SQLi, XSS, DoS, LPE, auth_bypass, info_leak - what the exploit targets

Complexity

trivial, simple, moderate, complex - how much effort to use it

Reliability

reliable, unreliable, untested, theoretical - will it actually work

MITRE ATT&CK

Mapped techniques per exploit for threat modeling and detection engineering

Trojan Detection

Deception indicators, IOCs, backdoor mechanics, operator risk assessment, evidence snippets

61K+
Exploits Analyzed
5
Parallel Workers
6
Analysis Dimensions
Interface

The REST API

A FastAPI backend serving 21 endpoints with full-text search, 18 filter parameters, rate limiting via Valkey, and GZip compression. CORS-restricted to exploit-intel.com.

Vulnerability Search

GET /api/v1/vulns
Full-text search with 18 filters: severity, KEV, exploited, ransomware, has_exploits, has_nuclei, vendor, product, ecosystem, CWE, CVSS, EPSS, date ranges, sorting

CVE Detail

GET /api/v1/vulns/{cve_id}
Full intelligence brief: CVSS, EPSS, KEV status, ranked exploits with LLM analysis, affected products, Nuclei templates, references, alt IDs

Exploit Code

GET /api/v1/exploits/{id}/code
Source code viewer with path traversal prevention. Reads from tar.gz archives, directories, or single files. Password-protected ZIP download

Browse & Filter

GET /api/v1/exploits
Browse exploits by source, language, classification, attack type, complexity, reliability, author, stars, CVE, vendor, product

Statistics

GET /api/v1/stats/trends
13 time-series datasets: CVE volume, CWE breakdown, exploitation trends, EPSS calibration, time-to-exploit, KEV lag, Nuclei coverage

Authors & CWEs

GET /api/v1/authors, /cwe, /vendors
Researcher profiles, CWE categories with exploit likelihood, vendor rankings - all with pagination and search

FastAPI 60/min Rate Limit GZip Valkey Cache
The Frontend

exploit-intel.com

The public face of the platform - vulnerability search, exploit code viewer, statistics dashboards, labs, and comprehensive API documentation. Built with Jinja2 templates and 7 color themes.

Exploit Intelligence Platform
BlogStatisticsLabsCLI ToolMCP ServerAPI Docs
Updated 2h ago
339,495
CVEs Tracked
53,335
With Exploits
4,748
Exploited in Wild
1,551
CISA KEV
3,948
Nuclei Templates
49,233
Vendors
42,833
Researchers
Search vulnerabilities...
Search
Severity: All Has Exploits KEV Only EPSS > 0.7 Ransomware
CVE-2026-24289 CRITICAL
Windows Kernel IOCP Race Condition - Use After Free
KEV EPSS: 97.2% 3 Exploits
CVE-2026-3910 CRITICAL
V8 Maglev JIT Type Confusion in Chrome
Metasploit EPSS: 89.1%
CVE-2026-4105 HIGH
systemd-machined D-Bus Privilege Escalation
Nuclei 2 PoCs
Statistics /stats
CVE Monthly Volume
KEV Gaps - Exploited, No Public Code
CVE-2026-1847 - Cisco IOS XE
CVE-2026-2203 - Fortinet FortiOS
CVE-2025-9811 - Palo Alto PAN-OS
Docker Labs /labs
300+ verified exploit labs with Docker environments, PoC code, and technical writeups
Docker Verified 300+ Labs
22 Templates 3 RSS Feeds 7 Themes SEO Sitemaps
Analytics

Statistics Dashboard

13 interactive ECharts visualizations powered by materialized views. Live at exploit-intel.com/stats

CVE Monthly Volume
Published CVEs with 12-month moving average and CWE share
Published 12m avg CWE-89 CWE-787 CWE-862 CWE-125
0 1,500 3,000 4,500 6,000 2021 2022 2023 2024 2025
CWE Breakdown
Exploitation Signals
KEV ITW
Time-to-Exploit
P25 Med P75
EPSS Calibration
100% EPSS
ECharts Materialized Views 13 Charts exploit-intel.com/stats
AI Integration

MCP Server - 17 Tools

A Model Context Protocol server that gives AI assistants direct access to the entire EIP database. Search vulnerabilities, analyze exploits, audit technology stacks, and generate pentest findings - all from natural language.

search_vulnerabilities

Full-text CVE search with structured filters

get_vulnerability

Full intelligence brief for a specific CVE

get_exploit_code

Read exploit source code (50KB cap)

get_exploit_analysis

AI analysis: type, complexity, MITRE, trojans

audit_stack

Audit up to 5 technologies for exploitable vulns

generate_finding

Pentest report finding in Markdown

search_exploits

Browse exploits with structured filters

get_nuclei_templates

Detection templates + Shodan/FOFA dorks

+ 9 more tools

Authors, CWEs, vendors, products, stats, health, alt-ID lookup

stdio + HTTP 6 Prompts Rate Limited v0.3.15
AI Workflows

MCP Prompt Workflows

Six pre-built prompt workflows guide AI assistants through multi-step vulnerability research. Each workflow chains multiple MCP tools together for comprehensive analysis without manual orchestration.

investigate-cve

Deep-dive: get_vulnerability, analyze each exploit, read best code, fetch Nuclei templates

audit-stack

Technology stack audit with prioritized remediation report sorted by EPSS probability

pentest-finding

Professional pentest finding with enhanced remediation guidance in Markdown

threat-landscape

Vendor/product threat analysis with KEV, ransomware, and exploited-in-wild context

exploit-analysis

Safety-first exploit analysis with trojan detection before code review

trending-threats

Trending threats briefing with configurable time window and focus area

Multi-Step Autonomous 6 Workflows
Live Demo

MCP Server in Action

Real terminal recordings showing the MCP server connected to Claude Code - from setup to vulnerability research.

Remote MCP setup + tool flow
Hands-On

Docker Labs Pipeline

Automated discovery and verification of Docker-based exploit labs from 53K+ GitHub PoC repos. Every lab is scanned for safety, enriched with CVE metadata, and served through the web UI.

Discovery Pipeline

  • Harvest Docker images from 53K+ GitHub exploit repos
  • LLM safety scan to filter malicious lab environments
  • Build community_labs.json with 2,289 community labs
  • Generate labs.json from GHCR (63 EIP-verified labs)
  • Smart infra filtering - exclude base images and build tools

Web Integration

  • Labs page at /labs with EIP + community tabs
  • Each lab enriched with CVE title from the database
  • Docker pull commands and setup instructions
  • Linked from vulnerability detail pages
  • Rsynced to app servers after each pipeline run
2,289
Community Labs
63
EIP Labs
53K+
Repos Scanned
Deployment

Infrastructure

Production-grade deployment with redundant app servers, managed database, shared cache, and a dedicated ingest host - all behind a load balancer and Cloudflare CDN.

Load Balancer
DigitalOcean LB + Cloudflare CDN. TLS termination, health checks, geographic distribution.
exploit-intel.com
App Servers (x2)
Read-only FastAPI instances serving the web UI and REST API. Stateless - can scale horizontally.
Gunicorn + Uvicorn workers
Ingest Host
Dedicated server for all write operations. Runs the 22-step pipeline 4x daily via systemd timers. Hosts 7 git clones.
flock-based locking
PostgreSQL 16
Managed DigitalOcean database cluster. Stores 339K vulnerabilities, 77K exploits, 2M+ affected products, materialized views for stats.
30-day backup retention
Valkey Cache
Shared in-memory cache for rate limiting (60/min per IP), expensive query results (vendor/CWE aggregations), and session data.
Redis-compatible, open source
Repo Mirror
repo.exploit-intel.com - rsync mirror for exploit archives, SQLite offline DB, and lab data. Serves app servers and public downloads.
rsync over SSH
Features

Platform Features

Beyond search - the platform includes SEO landing pages, ecosystem browsers, RSS feeds, XML sitemaps, an AI chat assistant, and a CLI tool for terminal-based vulnerability research.

Focus Pages

6 curated landing pages: critical exploits, exploited with PoC, high EPSS, Nuclei templates, latest exploits, KEV gaps

12 Ecosystems

npm, PyPI, Maven, Go, NuGet, RubyGems, Packagist, Crates.io, Hex, SwiftURL, Linux, GitHub Actions

RSS Feeds

Three feeds: recent CVEs, CVEs with exploits, and new CISA KEV additions - for automated monitoring

Exploit Code Viewer

Syntax-highlighted source code browser with LLM analysis, backdoor review, and author profiles

AI Chat (Beta)

Password-gated AI assistant at /chat for natural language vulnerability research with 30-day sessions

CLI Tool

eip-search - terminal-based vulnerability lookup with formatted output for security researchers

Security

Built Secure by Default

An exploit database is a high-value target. Every layer of EIP is hardened - from XML parsing to exploit code serving, rate limiting to path traversal prevention.

Defense in Depth

  • defusedxml for all XML parsing (XXE prevention)
  • Path traversal prevention on exploit code endpoints
  • SVG intentionally excluded from image serving (XSS risk)
  • Exploit code never in server-rendered HTML (Google malware flags)
  • CORS restricted to exploit-intel.com, GET+OPTIONS only

Operational Security

  • Rate limiting: 60/min per IP via Valkey, IP whitelist support
  • Password-protected exploit ZIP downloads
  • noindex/nofollow on exploit code paths
  • Jinja2 autoescape on all templates (XSS prevention)
  • MCP server: null byte rejection, DNS-rebinding protection, 50KB code cap
Impact

Results

What the platform delivers - comprehensive vulnerability intelligence that no single source provides alone.

Coverage

  • 339,495 CVEs with 99.99% AI-generated titles
  • 77,762 exploits from 8 sources, ranked by quality
  • 53,335 CVEs matched to at least one public exploit
  • 3,948 Nuclei detection templates with recon dorks
  • 2,352 Docker labs for hands-on exploitation practice

Intelligence

  • 4 independent exploitation signals correlated per CVE
  • Ransomware campaign attribution via VulnCheck
  • 61K+ exploits analyzed by AI for type, complexity, and reliability
  • Trojan detection with deception indicators and IOCs
  • MITRE ATT&CK technique mapping for every analyzed exploit
Updated 4x daily - 22-step pipeline - 14 sources - 17 MCP tools
From raw CVE to actionable intelligence, fully automated.
EIP

The Exploit Intelligence
Platform

Comprehensive vulnerability and exploit intelligence - aggregated from 14 sources, enriched by AI, and accessible to both humans and machines.

339K
CVEs
77K
Exploits
14
Sources
17
MCP Tools
A project by The Exploit Intelligence Platform
exploit-intel.com